Office of the New York State Attorney General Releases Results of Credential Stuffing Investigation

On January 5, 2022, the Office of the New York State Attorney General (OAG) issued a report detailing the growing threat of credential stuffing attacks on businesses and consumers. The Office compiled information on username and password pairs from 17 well known online retailers, restaurant chains and food delivery services. This yielded more than 1.1 million accounts that were compromised in credential stuffing attacks.

The OAG reviewed and evaluated the effectiveness of a wide range of safeguards used to protect against automated credential stuffing attacks. Their report outlines some concrete steps that digital businesses can put in place to enhance their security stance and better secure the personally identifiable information (PII) of their customers. These included bot detection, multi-factor authentication and password-less authentication.

Credential Stuffing is on the Rise

In credential stuffing attacks, hackers use bots to quickly test stolen credentials on popular sites. These attacks are easy to carry out with little technical knowledge. According to the OAG, “attackers typically use free, easily accessible software capable of transmitting hundreds or thousands of login attempts simultaneously without human intervention.” The sheer volume of attempts means that hackers will likely walk away with a decent number of valid pairs even if the majority of their attempts fail.

And, unfortunately, credential stuffing is just the beginning. These attacks are almost always a first step in an account takeover (ATO): an attack in which hackers gain unauthorized access to a user account. From there, they can make fraudulent purchases using stored credit cards, steal gift cards and loyalty points, submit fake warranty claims and credit applications and commit other types of fraud — or sell the valid credentials on the dark web for others to use.

A recent investigation found that there are more than 15 billion user credentials up for sale on the dark web. And humans have a tendency to reuse usernames and passwords, so a single pair is likely valid on multiple sites. Whether hackers buy a list or source credentials themselves from PII harvesting or phishing attacks, the abundance of usernames and passwords up for grabs is contributing to a rise in credential stuffing and ATO attacks. It is no surprise that ATO attacks rank among the top cyberthreats across all industries.

WAFs, MFA and CAPTCHAs Aren’t Enough

In the report, the OAG lists web application firewalls (WAFs), CAPTCHAs and multi-factor authentication (MFA) as pieces of the puzzle — but emphasizes that none of these tools is sufficient to stop credential stuffing alone.

WAFs can protect against familiar threats — such as cross-site scripting, SQL injection, buffer overflow and DDoS attacks — but they are unable to recognize unknown bot threats in real-time. This includes bots that piggyback on the identities of real humans and mimic their behavior, as well as botnets that rotate through thousands of different IP addresses to bypass IP-based rules.

While CAPTCHAs were once effective at blocking bots, that efficacy has decreased significantly over time. According to the OAG, “software has become adept at solving many types of CAPTCHA challenges without human intervention.” If a human is needed, cybercriminals can tap into CAPTCHA farms, in which humans solve the CAPTCHA on the bot’s behalf and relay the authorization token. To add insult to injury, CAPTCHAs are frustrating for real human users, driving abandonment and lower conversion rates.

MFA can be quite effective, but it adds a great deal of friction to the user journey. Because of this, many organizations do not require it. Furthermore, hackers can steal verification codes sent via text message or email using SIM swapping and social engineering techniques. And in some cases, MFA fails due to faulty implementation. The OAG “uncovered evidence that more than 140,000 user accounts had been compromised in credential stuffing attacks against a business that used MFA because the authentication functionality had been implemented incorrectly, rendering it ineffective.”

How to Combat Credential Stuffing

The OAG highlights bot detection and mitigation as one of the most effective safeguards to stop credential stuffing attacks. According to the guide, “one restaurant chain reported to the OAG that its bot detection vendor had blocked more than 271 million login attempts over a 17-month period. Another company the OAG contacted saw more than 40 million login attempts blocked over a two month period.” In fact, 12 out of the 17 companies have implemented or have plans to implement a bot detection system.

Effective bot mitigation platforms can identify bot traffic even when it is disguised, such as by rotating through multiple IP addresses or device identifiers. Solutions that leverage behavioral analysis and predictive methods can detect and stop automated credential stuffing attacks before they affect your websites, web applications or APIs with unparalleled accuracy. And machine-learning algorithms evolve in real-time, getting more sophisticated as bots do.

Another effective solution highlighted by the OAG is threat intelligence to block online activities that use stolen usernames and passwords. This gives organizations an early warning signal that hackers are attempting to use compromised credentials on their site and alerts them to take mitigating action before any damage is done. Such solutions also inform real users that their credentials have been breached and trigger a password reset.

Regulators Are Demanding Accountability

The New York OAG office has been leading the pack in protecting consumers and Internet users from the implications of online identity theft. This has included investigating attacks and pursuing litigation to hold website owners accountable for addressing successful credential stuffing attacks.

Dunkin’ Brands Inc. agreed to pay $650,000 in penalties and costs due to credential stuffing attacks that gave hackers access to consumers’ Dunkin’ stored value cards, known as “DD cards.” These could be used to make purchases at Dunkin’ stores. The organization also notified and refunded hacked customers as a result of the lawsuit. This demonstrates that all personal data — even credentials tied only to relatively low-value DD cards — is subject to data privacy laws.

Stop the Cycle of Credential Stuffing and ATO Attacks

HUMAN has helped the largest and most reputable websites and mobile applications — perhaps those cited above — safeguard their consumers’ digital experience while disrupting the web attack lifecycle. Meet our HUMAN Bot Defender and Credential Intelligence solutions.

Bot Defender is a behavior-based bot management solution that blocks credential stuffing and ATO with outstanding accuracy. It protects websites, mobile applications and APIs from automated attacks, safeguarding your online revenue, competitive edge and brand reputation. Bot Defender features Human Challenge, a user-friendly verification system that protects against CAPTCHA-solving bots while also improving your users’ experience.

Blocking bots is critical and necessary, but it doesn’t prevent future attempts on its own because the same credentials might still be relevant on a different site. So, we developed Credential Intelligence to end the cycle once and for all. Using a proprietary database of usernames and passwords being used in active attacks and the dark web, the solution flags and stops the use of compromised credentials on every site that it protects.

Together, Bot Defender and Credential Intelligence - which is now generally available - create a layered defense that stops active and future account takeover attacks. We’d be happy to share more with you, and to help your business stop the lifecycle of these attacks. Contact us here for a demo.